b'                     OFFICE OF\n             THE INSPECTOR GENERAL\n                   U.S. NUCLEAR\n             REGULATORY COMMISSION\n\n\n                    System Evaluation of Security Controls\n                          for Standalone Personal\n                          Computers and Laptops\n\n\n                     OIG-05-A-18      September 22, 2005\n\n\n\n\n              EVALUATION REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                         September 22, 2005\n\n\n\n\nMEMORANDUM TO:             Luis A. Reyes\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum/RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   SYSTEM EVALUATION OF SECURITY CONTROLS\n                           FOR STANDALONE PERSONAL COMPUTERS AND\n                           LAPTOPS (OIG-05-A-18)\n\n\nAttached please find the Office of the Inspector General\xe2\x80\x99s report System\nEvaluation of Security Controls for Standalone Personal Computers and Laptops.\nRichard S. Carson and Associates, Inc., conducted this evaluation on our behalf\nand determined that:\n\n   \xc2\xbe Security controls for standalone PCs and laptops are not adequate.\n   \xc2\xbe Standalone PCs and laptops are not monitored for compliance with\n     Federal regulations.\n   \xc2\xbe IT coordinators have inconsistent understanding of disposal practices for\n     standalone PCs and laptops.\n\nThe weaknesses identified are not significant deficiencies or reportable\nconditions. During an exit conference on August 25, 2005, NRC officials\nprovided comments concerning the draft audit report, which were incorporated\ninto the report as appropriate. 
After reviewing the modifications, the agency\nopted not to submit formal written comments to this report.\n\nIf you have any questions or wish to discuss this report, please call me at\n415-5915 or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cDistribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety andT\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nWilliam N. Outlaw, Acting Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n and Administration, and Chief Information Officer, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nMichael R. Johnson, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. 
Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                        Office of the Inspector General\n                      Evaluation of Security Controls for\n                 Standalone Personal Computers and Laptops\n\n\n\n\n                             Contract Number: GS-00F-0001N\n                           Delivery Order Number: DR-36-03-346\n\n                                                 September 21, 2005\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                       Security Controls for Standalone PCs and Laptops\n\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n         On December 17, 2002, the President signed the E-Government Act of 2002, which\n         included the Federal Information Security Management Act (FISMA) of 2002. FISMA\n         outlines the information security management requirements for agencies, which include\n         (1) an independent evaluation of an agency\xe2\x80\x99s information security program and practices\n         and (2) an evaluation of the effectiveness of information security control techniques.\n         FISMA also requires an assessment of compliance with requirements and related\n         information security policies, procedures, standards, and guidelines.\n\n         As part of the FY 2005 FISMA independent evaluation of the Nuclear Regulatory\n         Commission\xe2\x80\x99s (NRC) automated information security program, Richard S. 
Carson and\n         Associates, Inc. (Carson Associates), reviewed security controls for standalone personal\n         computers (PCs) and laptops.\n\n         PCs and laptops used at NRC are either (1) connected to the NRC local area network\n         (LAN) or (2) used as standalone1 systems. Some of the standalone PCs and laptops are\n         used to process safeguards2 and/or classified3 information. These are considered \xe2\x80\x9clisted\n         systems.\xe2\x80\x9d4 PCs and laptops connected to the NRC LAN are protected by the LAN\xe2\x80\x99s\n         security controls. The evaluation of security controls for listed systems was reported in\n         OIG-05-A-14, \xe2\x80\x9cOffice of the Inspector General System Evaluation of Listed Systems\n         That Process Safeguards and/or Classified Information,\xe2\x80\x9d dated August 4, 2005.\n\n         There are approximately 4,100 PCs and laptops connected to the NRC LAN, and there\n         are approximately 117 standalone PCs and laptops that are used to process safeguards\n         and/or classified information. However, the number of standalone PCs and laptops that\n         do not process safeguards and/or classified information is unknown, as these standalone\n         PCs and laptops are not tracked in a central location. Findings in this report pertain\n         primarily, but not exclusively, to NRC\xe2\x80\x99s standalone PCs and laptops that are not used to\n         process safeguards and/or classified information.\n\n\n1\n  For the purposes of this evaluation, standalone refers to a PC or laptop that is not configured for connectivity to the\n  NRC LAN. 
Standalone PCs or laptops that are not used to process safeguards and/or classified information may\n  be connected to the Internet, for example when an employee is on travel.\n2\n  Safeguards information is sensitive unclassified information that specifically identifies the (1) detailed security\n  measures of a licensee or an applicant for the physical protection of special nuclear material or (2) security\n  measures for the physical protection and location of certain plant equipment vital to the safety of production or\n  utilization facilities. Protection of this information is required pursuant to Section 147 of the Atomic Energy Act\n  of 1954, as amended.\n3\n  Classified information is information (such as a document or correspondence) that is designated National Security\n  Information, Restricted Data, or Formerly Restricted Data.\n4\n  Listed systems represent one of four categories used by NRC to group the agency\xe2\x80\x99s systems on its master inventory\n  of systems. A listed system is a computerized information system or application that (1) processes sensitive\n  information requiring additional security protections and (2) may be important to an NRC office\xe2\x80\x99s or region\xe2\x80\x99s\n  operations, but which is not a major application when viewed from an agency perspective.\n\n\n                                                            i\n\x0c                                                        Security Controls for Standalone PCs and Laptops\n\n\n\nPURPOSE\n\n      The objective of this review was to evaluate the effectiveness of NRC security policies,\n      procedures, practices, and controls for standalone PCs and laptops.\n\nRESULTS IN BRIEF\n\n      Carson Associates evaluated the security policies, procedures, practices, and controls for\n      standalone PCs and laptops and found that:\n\n          \xe2\x80\xa2   Security controls for standalone PCs and laptops that are not used to process\n              safeguards and/or 
classified information are not adequate.\n          \xe2\x80\xa2   Standalone PCs and laptops that are not used to process safeguards and/or\n              classified information are not monitored for compliance with Executive Order\n              13103, Computer Software Piracy.\n          \xe2\x80\xa2   IT coordinators\xe2\x80\x99 understanding of disposal practices for standalone PCs and\n              laptops that are used to process safeguards and/or classified information is\n              inconsistent.\n\n      Security Controls For Standalone PCs and Laptops Are Not Adequate\n\n      Security controls for PCs and laptops are typically provided by the network to which they\n      are connected. However, some NRC PCs and laptops are not connected to the NRC LAN\n      and, subsequently, fail to benefit from security controls provided by the LAN. Carson\n      Associates found that security controls for standalone PCs and laptops that are not used to\n      process safeguards and/or classified information are not adequate. For example, updates\n      to virus definitions and operating system software are not always performed. Security\n      controls for standalone PCs and laptops that are not used to process safeguards and/or\n      classified information are not adequate because users are not given sufficient guidance on\n      implementing security controls and the agency lacks a mechanism for assigning users\n      responsibility for implementing security controls on these PCs and laptops. In addition,\n      the agency lacks procedures for verifying that all required security controls are being\n      implemented on standalone PCs and laptops that are not used to process safeguards\n      and/or classified information. 
Inadequate security controls, such as the lack of updated\n      virus definitions and operating system updates, could result in the inadvertent release of\n      sensitive NRC information when a standalone PC or laptop that is not used to process\n      safeguards and/or classified information is connected to the Internet.\n\n      Standalone PCs and Laptops Are Not Monitored for Compliance with Executive\n      Order 13103\n\n      Executive Order 13103, Computer Software Piracy, requires all executive agencies to\n      ensure compliance with applicable copyright laws. The agency monitors for compliance\n      PCs and laptops that are connected to the NRC network and has procedures in place to\n      monitor standalone PCs and laptops that are used to process safeguards and/or classified\n\n\n                                               ii\n\x0c                                                                   Security Controls for Standalone PCs and Laptops\n\n\n\n        information. However, the agency does not have any procedures for monitoring\n        compliance of standalone PCs and laptops that are not used to process safeguards and/or\n        classified information and are not covered by the Infrastructure Services and Support\n        Contract (ISSC).5 As a result, the agency does not know its degree of compliance with\n        software licenses for all standalone PCs and laptops, which makes NRC, its employees,\n        and its contractors vulnerable to the consequences of unauthorized software use. Such\n        consequences could include fines and even imprisonment.\n\n        IT Coordinators\xe2\x80\x99 Understanding of Disposal Practices for Standalone PCs and\n        Laptops Is Inconsistent\n\n        Management Directive (MD) and Handbook 2.6, Information Technology Infrastructure,\n        describe the procedures for equipment removal requests. 
These procedures apply only to\n        information technology (IT) equipment that is not used to process safeguards and/or\n        classified information. The National Security Agency (NSA) has developed policies and\n        guidance for the proper disposal of IT equipment used to process classified information.\n        MD and Handbook 12.2, NRC Classified Information Security Program, and MD and\n        Handbook 12.6, NRC Sensitive Unclassified Security Program, describe procedures for\n        handling classified and safeguards6 information. MD and Handbook 12.5, NRC\n        Automated Information Security Program, also describe procedures for processing\n        safeguards and classified information. Carson Associates found that the disposal\n        procedures described by the IT coordinators for standalone PCs and laptops that are used\n        to process safeguards and/or classified information were inconsistent and not always in\n        accordance with policy and guidance from NSA and NRC. Disposal practices described\n        by the IT coordinators for standalone PCs and laptops that are used to process safeguards\n        and/or classified information are inconsistent because the NRC MD and Handbooks that\n        compose Volume 12, Security, do not clearly describe the disposal process and who is\n        responsible for administration of the disposal process. Without clearly defined\n        procedures for the disposal of standalone PCs and laptops that are used to process\n        safeguards and/or classified information, the agency may not be in compliance with\n        policy and guidance from NSA.\n\nRECOMMENDATIONS\n\n        This report makes recommendations to the Executive Director for Operations to improve\n        the security controls for standalone PCs and laptops. 
A consolidated list of\n        recommendations appears on page 11 of this report.\n\n\n\n\n5\n  The ISSC provides NRC with a variety of infrastructure services and support, including seat management. The\n  term seat management is typically used to describe an information technology outsourcing approach for acquiring\n  services from a single source in support of a desktop computing environment.\n6\n  NRC has determined that requirements for protecting safeguards data will be equivalent to those requirements for\n  classified data at the Confidential level.\n\n\n                                                        iii\n\x0c                                                       Security Controls for Standalone PCs and Laptops\n\n\n\nAGENCY COMMENTS\n\n     The Office of the Inspector General (OIG) provided this report in draft to agency officials\n     and discussed its content at an exit conference on August 25, 2005. We modified the\n     report as we determined appropriate in response to our discussion. Agency officials\n     generally agreed with the report\xe2\x80\x99s findings and recommendations and opted not to include\n     formal comments.\n\n\n\n\n                                              iv\n\x0c                                                    Security Controls for Standalone PCs and Laptops\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nCarson Associates   Richard S. 
Carson and Associates, Inc.\nDFS                 Division of Facilities and Security\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nISSC                Infrastructure Services and Support Contract\nIT                  Information Technology\nLAN                 Local Area Network\nMD                  Management Directive\nNRC                 Nuclear Regulatory Commission\nNSA                 National Security Agency\nNSIR                Office of Nuclear Security and Incident Response\nNTISSAM             National Telecommunication and Information Systems Security Advisory\n                    Memorandum\nOIG                 Office of the Inspector General\nOIS                 Office of Information Services\nPC                  Personal Computer\nSANS                System Administration, Audit, Network, Security\n\n\n\n\n                                           v\n\x0c                        Security Controls for Standalone PCs and Laptops\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                               Security Controls for Standalone PCs and Laptops\n\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n\n2 Purpose .................................................................................................................... 1\n\n3 Findings.................................................................................................................... 1\n    3.1       Security Controls For Standalone PCs and Laptops Are Not Adequate .. 
2\n              3.1.1 Standalone PCs and Laptops Used to Process Safeguards and/or Classified\n                    Information ....................................................................................................... 2\n              3.1.2 Standalone PCs and Laptops Not Used to Process Safeguards and/or\n                    Classified Information ...................................................................................... 3\n    3.2       Standalone PCs and Laptops Are Not Monitored for Compliance with\n              Executive Order 13103.................................................................................. 5\n              3.2.1 Standalone PCs and Laptops Used to Process Safeguards and/or Classified\n                    Information ....................................................................................................... 5\n              3.2.2 Standalone PCs and Laptops Not Used to Process Safeguards and/or\n                    Classified Information ...................................................................................... 5\n    3.3       IT Coordinators\xe2\x80\x99 Understanding of Disposal Practices for Standalone\n              PCs and Laptops Is Inconsistent................................................................. 6\n              3.3.1 Standalone PCs and Laptops Used to Process Safeguards and/or Classified\n                    Information ....................................................................................................... 7\n              3.3.2 Standalone PCs and Laptops Not Used to Process Safeguards and/or\n                    Classified Information .................................................................................... 10\n4 Consolidated List of Recommendations ............................................................. 11\n\n5 OIG Response to Agency Comments .................................................................. 
12\n\n\nAppendices\n\n    Appendix A: Scope and Methodology ............................................................... 13\n    Appendix B: Sample Rules of Behavior............................................................. 15\n\n\n\n\n                                                                  vii\n\x0c                        Security Controls for Standalone PCs and Laptops\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              viii\n\x0c                                                                   Security Controls for Standalone PCs and Laptops\n\n\n\n1          Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included\nFISMA.7 FISMA outlines the information security management requirements for agencies,\nwhich include (1) an independent evaluation of an agency\xe2\x80\x99s information security program and\npractices and (2) an evaluation of the effectiveness of information security control techniques.\nFISMA also requires an assessment of compliance with requirements and related information\nsecurity policies, procedures, standards, and guidelines.\n\nAs part of the FY 2005 FISMA independent evaluation of NRC\xe2\x80\x99s automated information\nsecurity program, Carson Associates reviewed security controls for standalone PCs and laptops.\n\nPCs and laptops used at NRC are either (1) connected to the NRC LAN or (2) used as standalone\nsystems. Some of the standalone PCs and laptops are used to process safeguards and/or\nclassified information. These are considered \xe2\x80\x9clisted systems.\xe2\x80\x9d PCs and laptops connected to the\nNRC LAN are protected by the LAN\xe2\x80\x99s security controls. 
The evaluation of security controls for\nlisted systems was reported in OIG-05-A-14, \xe2\x80\x9cOffice of the Inspector General System Evaluation\nof Listed Systems That Process Safeguards and/or Classified Information,\xe2\x80\x9d dated August 4,\n2005.\n\nThere are approximately 4,100 PCs and laptops connected to the NRC LAN, and there are\napproximately 117 standalone PCs and laptops that are used to process safeguards and/or\nclassified information. However, the number of standalone PCs and laptops that do not process\nsafeguards and/or classified information is unknown, as these standalone PCs and laptops are not\ntracked in a central location. Findings in this report pertain primarily, but not exclusively, to\nNRC\xe2\x80\x99s standalone PCs and laptops that are not used to process safeguards and/or classified\ninformation.\n\n2          Purpose\n\nThe objective of this review was to evaluate the effectiveness of NRC security policies,\nprocedures, practices, and controls for standalone PCs and laptops.\n\n3          Findings\n\nCarson Associates evaluated the security policies, procedures, practices, and controls for\nstandalone PCs and laptops and found that:\n\n      \xe2\x80\xa2    Security controls for standalone PCs and laptops that are not used to process safeguards\n           and/or classified information are not adequate.\n\n\n\n\n7\n    The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\n    Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act,\n    which expired in November 2002.\n\n\n                                                         1\n\x0c                                                                      Security Controls for Standalone PCs and Laptops\n\n\n\n\n       \xe2\x80\xa2   Standalone PCs and laptops that are not used to process safeguards and/or classified\n           information are not monitored for compliance with 
Executive Order 13103, Computer\n           Software Piracy.\n       \xe2\x80\xa2   IT coordinators\xe2\x80\x99 understanding of disposal practices for standalone PCs and laptops that\n           are used to process safeguards and/or classified information is inconsistent.\n\n3.1        Security Controls For Standalone PCs and Laptops Are Not Adequate\n\nSecurity controls for PCs and laptops are typically provided by the network to which they are\nconnected. However, some NRC PCs and laptops are not connected to the NRC LAN and,\nsubsequently, fail to benefit from security controls provided by the LAN. MD and Handbook\n12.5, NRC Automated Information Security Program, state that users shall take appropriate\nprecautions to protect the assets (hardware, software, data) provided for their use or to which\nthey have been granted access (e.g., workstations, microcomputers, LANs, and associated data).\nMD and Handbook 12.5 also state that users should install virus-checking software on all mobile\nor home computers used to access the NRC LAN and download updates at least weekly so that\nthe virus protection remains current.\n\nMD and Handbook 13.1, Property Management, require users to sign NRC Form 119,\n\xe2\x80\x9cCustodial Receipt for Sensitive Personal Property,\xe2\x80\x9d before receiving custody of sensitive\nequipment.8\n\n3.1.1 Standalone PCs and Laptops Used to Process Safeguards and/or Classified\n      Information\n\nThe evaluation of security controls for listed systems was reported in OIG-05-A-14, \xe2\x80\x9cOffice of\nthe Inspector General System Evaluation of Listed Systems That Process Safeguards and/or\nClassified Information,\xe2\x80\x9d dated August 4, 2005. Each standalone PC or laptop used to process\nsafeguards and/or classified information requires a security plan that describes the security\ncontrols in place for the PC or laptop. 
The security plan describes the required security controls,\nincluding requirements for updating virus and operating system software. The evaluation found\nthat some security controls for standalone PCs and laptops that are used to process safeguards\nand/or classified information are not being implemented as required because the agency has no\nprocedures in place for verifying that security controls described in a system\xe2\x80\x99s security plan are\nactually being implemented.\n\n\n\n\n8\n    Sensitive equipment is any accountable property that is desirable for personal use and can be easily removed from\n    the premises.\n\n\n                                                           2\n\x0c                                                                        Security Controls for Standalone PCs and Laptops\n\n\n\n3.1.2 Standalone PCs and Laptops Not Used to Process Safeguards and/or Classified\n      Information\n\nCarson Associates met with IT coordinators from 3 out of 30 NRC offices9 and found that\nsecurity controls for standalone PCs and laptops that are not used to process safeguards and/or\nclassified information are not adequate. The three IT coordinators interviewed for this report\nstated that users are required to sign a Form 119, \xe2\x80\x9cCustodial Receipt for Sensitive Personal\nProperty,\xe2\x80\x9d when assigned a standalone PC or laptop. NRC Form 119 is used to establish\nresponsibility for the physical protection and safekeeping of sensitive items, but does not provide\nusers with guidance on implementing security controls on the PC or laptop and does not assign\nthe user responsibility for implementing security controls on the PC or laptop. None of the\noffices contacted for this evaluation have procedures in place for verifying that all required\nsecurity controls are being implemented on standalone PCs and laptops that are not used to\nprocess safeguards and/or classified information. 
The following are two security controls that\nwere found to be inadequate for standalone PCs and laptops that are not used to process\nsafeguards and/or classified information.\n\n    \xe2\x80\xa2    Virus Updates. IT coordinators in the three offices contacted by Carson Associates\n         described varying practices employed by their office to ensure virus software updates are\n         performed on a routine basis. In one office, virus updates are not performed on\n         standalone PCs and laptops, primarily because users view the requirement as\n         cumbersome and difficult to achieve for PCs and laptops that are not connected to the\n         NRC LAN. Users in another office are sometimes given verbal instructions on how to\n         download and install the updates. A third office is currently developing rules of\n         behavior10 that users must sign when given a laptop or PC. The rules of behavior include\n         a requirement to update the virus definitions at the beginning of each usage session, but\n         provide no guidance on how to perform the updates. The requirement to sign these rules\n         of behavior has not been fully implemented, and users in this office are not currently\n         provided guidance on the installation of virus updates.\n    \xe2\x80\xa2    Software Updates. None of the three offices contacted by Carson Associates (1) notify\n         users that they are responsible for performing software updates on standalone PCs or\n         laptops or (2) provide any guidance on how to perform the updates. PCs and laptops can\n         be configured to perform automatic operating system updates when new updates are\n         available. Updates would occur only when the standalone PC or laptop is connected to\n         the Internet. 
However, users are not informed that this feature is enabled or that they\n         should periodically connect to the Internet to ensure installation of the latest updates.\n         Furthermore, they are not notified they should not disable the automatic update feature or\n9\n  Carson Associates focused on meeting with IT coordinators for offices that have standalone PCs and laptops that\n   are used to process safeguards and/or classified information. Of the 30 offices listed on the IT coordinators\n   contact sheet, only 10, plus the 4 regions, have standalone PCs and laptops that meet this criteria. Carson\n   Associates did not include any IT coordinators from the regions as we wanted to conduct face-to-face interviews.\n   In addition to the three IT coordinators Carson Associates met with, we contacted IT coordinators for another five\n   offices. Of the five, three did not return our phone call, and two referred us to another point of contact, but not in\n   enough time to arrange an interview. We feel that by including the Office of Nuclear Material Safety and\n   Safeguards and the Office of Nuclear Regulatory Research we covered offices with many of the standalone PCs\n   and laptops.\n10\n    These draft rules of behavior can be found in Appendix B.\n\n\n                                                            3\n\x0c                                                             Security Controls for Standalone PCs and Laptops\n\n\n\n           change the frequency of the automatic updates. As noted above, one office is currently\n           developing rules of behavior that include a requirement to leave automatic updating\n           turned on and configured to update every 24 hours. 
However, the requirement to sign\n           these rules of behavior has not been fully implemented, and users in this office are not\n           currently provided guidance on performing software updates.\n\nSecurity controls for standalone PCs and laptops that are not used to process safeguards and/or\nclassified information are not adequate because users are not given sufficient guidance on\nimplementing security controls and the agency lacks a mechanism for assigning users\nresponsibility for implementing security controls on these PCs and laptops. In addition, the\nagency lacks procedures for verifying that all required security controls are being implemented\non standalone PCs and laptops that are not used to process safeguards and/or classified\ninformation.\n\nAlthough standalone PCs and laptops are not connected to the NRC LAN, PCs and laptops that\nare not used to process safeguards and/or classified information may be connected to the\nInternet. This is particularly so for laptops used during travel. While these standalone PCs and\nlaptops do not process safeguards or classified information, they may be used to process\nsensitive but unclassified information. Inadequate security controls, such as the lack of updated\nvirus definitions and operating system updates, could result in inadvertent release of sensitive\nNRC information when a standalone PC or laptop that is not used to process safeguards and/or\nclassified information is connected to the Internet. 
The SANS Internet Storm Center (part of the SANS Institute) continuously monitors the average time (survival time) it takes for an unprotected PC (i.e., missing critical security patches and no firewall) running Microsoft Windows to be compromised after being connected to the Internet.11 In June 2005, the average survival time was only 25 minutes.

As noted above, one office is developing rules of behavior that serve as an agreement between the employee and the agency to ensure security controls are implemented as required. Rules of behavior such as these serve as one mechanism for conveying to users their responsibility for implementing security controls for standalone PCs and laptops.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Provide users guidance for implementing security controls on standalone PCs and laptops.
   2. Develop and require users to sign a rules of behavior agreement accepting responsibility for implementing security controls on standalone PCs and laptops.
   3. Develop and implement procedures for verifying all required security controls are implemented on standalone PCs and laptops.

11 http://isc.sans.org/survivalhistory.php

3.2 Standalone PCs and Laptops Are Not Monitored for Compliance with Executive Order 13103

Executive Order 13103, Computer Software Piracy, requires all executive agencies to ensure compliance with applicable copyright laws.12 The agency monitors PCs and laptops that are connected to the NRC network for compliance. 
MD and Handbook 12.5 state users shall not install any computer program into the NRC computing environment if there is any question that the computer program may not be properly licensed. MD and Handbook 12.5 also require users to obtain approval and adhere to software copyright laws before installing software on NRC systems, including standalone PCs and laptops. Users must comply with software copyright license laws and policies that prohibit unauthorized use or copying of commercial software.

3.2.1 Standalone PCs and Laptops Used to Process Safeguards and/or Classified Information

As noted previously, the evaluation of security controls for listed systems was reported in OIG-05-A-14. The security plan required for a standalone PC or laptop used to process safeguards and/or classified information states that the configuration of the laptop is controlled by the information systems security officer (ISSO) for the standalone PC or laptop. The ISSO is responsible for installing and performing updates to software. Users of the laptop are required to sign an acknowledgment indicating their complete understanding of the plan.

3.2.2 Standalone PCs and Laptops Not Used to Process Safeguards and/or Classified Information

Carson Associates met with IT coordinators from 3 out of 30 NRC offices and found there are no procedures in place for facilitating or monitoring compliance with Executive Order 13103 for standalone PCs and laptops that do not process safeguards and/or classified information and are not covered by the ISSC.

IT coordinators in two offices do not inform users not to install other software and have no mechanism for monitoring compliance with Executive Order 13103. When issuing a standalone PC or laptop, one office’s IT coordinator informs users not to install other software. This office is developing rules of behavior that users must sign when given a laptop or PC. 
The rules include a requirement not to load unapproved applications on the PC or laptop, and include a statement that the PC or laptop can be called in for inspection at any time to check for compliance with the rules of behavior. However, the requirement to sign these rules of behavior has not been fully implemented.

Standalone PCs and laptops that are not used to process safeguards and/or classified information are not monitored for compliance with Executive Order 13103 because they are not connected to the NRC LAN and there is no mechanism in place for monitoring standalone PCs and laptops that are not covered by the ISSC. As a result, the agency does not know its degree of compliance with software licenses for standalone PCs and laptops, which makes NRC, its employees, and its contractors vulnerable to the consequences of unauthorized software use. Such consequences could include fines and even imprisonment.

12 Copyright Law is contained in Title 17 of the United States Code. The Copyright Revision Act of 1976 (Public Law 94-553), effective January 1, 1978, was amended in 1980 to include computer software under the category of “literary works.”

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

   4. Provide users guidance on compliance with Executive Order 13103, Computer Software Piracy, for standalone PCs and laptops.
   5. Develop and require users to sign a rules of behavior agreement acknowledging their compliance with Executive Order 13103, Computer Software Piracy, for standalone PCs and laptops.
   6. 
Develop and implement procedures for monitoring compliance with Executive Order 13103, Computer Software Piracy, for standalone PCs and laptops.

3.3 IT Coordinators’ Understanding of Disposal Practices for Standalone PCs and Laptops Is Inconsistent

MD and Handbook 2.6, Information Technology Infrastructure, describe the procedures for IT equipment removal requests. IT coordinators should make requests for removal of excess desktop workstations and related hardware to the Office of Information Services (OIS) Customer Support Center or through an Office of Administration Labor Services request.13 Equipment is taken to a specific room on the 2nd floor of One White Flint where OIS staff sort, redistribute, or arrange for disposal of the items. OIS staff either wipe14 hard drives with an overwrite process or, if that is not possible, remove and destroy the hard drive. These procedures apply only to IT equipment that is not used to process safeguards and/or classified information.

According to the National Telecommunications and Information Systems Security Advisory Memorandum (NTISSAM), dated January 16, 1987, when an office automation system (i.e., a PC or laptop) has outlived its usefulness and has become obsolete, or when it has become damaged beyond repair, it must be disposed of properly. If the system has been used to process or store classified or sensitive but unclassified information (i.e., safeguards), certain precautions should be taken before the system can be disposed of through normal channels. These precautions will help to prevent the compromise of any classified or sensitive but unclassified information remaining in the system after it is beyond the control of the organization that once used it. 
The NTISSAM states that any removable media that once contained classified or sensitive but unclassified information that is not going to be reused should be either declassified or destroyed.

13 NRC Form 30, Request for Administrative Services, is used to submit a Labor Services request.

14 “Wipe” is a term used to describe a process for removing sensitive data from a hard drive in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed using normal system capabilities. Overwriting, which is a software process that replaces the data previously stored on magnetic storage media with a predetermined set of meaningless data, is a common method of “wiping” a hard drive.

The National Computer Security Center “A Guide to Understanding Data Remanence in Automated Information Systems,” dated September 1991, defines declassification as a procedure and an administrative action to remove the security classification of the subject media. The procedural aspect of declassification is the actual purging15 of the media and removal of any labels denoting classification, possibly replacing them with labels denoting that the storage media is unclassified. The guide also states that purging must be used when media is released from a secure facility to a non-cleared maintenance facility or similar non-secure environment. The NSA approves methods for purging media.

MD and Handbook 12.2, NRC Classified Information Security Program, and MD and Handbook 12.6, NRC Sensitive Unclassified Information Security Program, describe procedures for handling classified and safeguards information. 
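
The overwrite process that footnote 14 describes, carried through to the read-back check that gives the "assurance" the footnote and the NCSC guide speak of, as an added example. This is not code from the OIG report or any NRC procedure; it is written to run against a disk image file so it is safe to try, and the image, the planted marker string and the path are constructed for the example. On a real drive you would open the block device node instead of a file and take its size from the operating system rather than from os.path.getsize.

```python
"""Overwrite "wipe" of a disk image with read-back verification (added example)."""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # read/write granularity, 1 MiB


def _overwrite_pass(fh, size, pattern):
    """Write `size` bytes from offset 0; pattern(n) returns n bytes of fill."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # make sure each pass actually reaches the media


def count_nonzero(path):
    """Read the whole target back and count bytes that are not 0x00."""
    leftover = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            leftover += len(block) - block.count(0)
    return leftover


def wipe_and_verify(path, passes=3):
    """Overwrite `path` in place (passes-1 pseudorandom passes, then one
    all-zero pass) and read it back. Returns (ok, nonzero_bytes_left); ok is
    True only when every byte reads back as 0x00. Anything else means the
    overwrite did not reach the whole target, and the media should go to
    destruction rather than back into normal channels."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(max(passes - 1, 0)):
            _overwrite_pass(fh, size, secrets.token_bytes)
        _overwrite_pass(fh, size, lambda n: bytes(n))  # final, predetermined pattern: zeros
    leftover = count_nonzero(path)
    return leftover == 0, leftover


def contains_marker(path, marker):
    """Is the plaintext marker still readable through the normal file interface?"""
    with open(path, "rb") as fh:
        return marker in fh.read()


def make_demo_image(path, size=4 * CHUNK, marker=b"SAFEGUARDS-INFORMATION-SAMPLE"):
    """Constructed sample: random bytes standing in for an old drive image,
    with a recognisable marker planted 4 KiB in."""
    with open(path, "wb") as fh:
        fh.write(secrets.token_bytes(size))
        fh.seek(4096)
        fh.write(marker)
    return marker


def demo_run(size=4 * CHUNK, passes=3):
    """Create a demo image, wipe it, and report marker visibility before and after."""
    path = os.path.join(tempfile.mkdtemp(), "laptop-hdd.img")  # hypothetical path
    marker = make_demo_image(path, size)
    before = contains_marker(path, marker)
    ok, leftover = wipe_and_verify(path, passes)
    after = contains_marker(path, marker)
    os.remove(path)
    return {"before": before, "ok": ok, "leftover": leftover, "after": after}


if __name__ == "__main__":
    r = demo_run()
    print("marker readable before wipe:", r["before"])
    print("wipe verified:", r["ok"], "(non-zero bytes left: %d)" % r["leftover"])
    print("marker readable after wipe:", r["after"])
```

Two caveats a practitioner should keep in mind. First, the read-back only proves what the device returns through its normal interface; sectors the drive has remapped to spares, and on flash media the over-provisioned area, are never reached by an overwrite, which is why the guidance above limits overwriting to assurance "using normal system capabilities" and requires NSA-approved purging (degaussing or destruction) before classified or safeguards media leaves a secure facility. Second, the report notes that the term "unconditionally formatted" used in MD 12.5 is undefined; a check like count_nonzero tests the result rather than the command used, and a drive that still fails it after being formatted has not been wiped in the sense of footnote 14.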
MD and Handbooks 12.2 and 12.6 only discuss disposal of safeguards and/or classified waste that can be destroyed by shredding. The MDs and Handbooks do not describe disposal procedures for electronic media, such as hard drives (fixed and removable) used to process classified and/or safeguards information, nor do they refer the reader to the MDs and Handbooks in Volume 12, Security, that do describe the appropriate disposal methods for hard drives that were used to process classified and/or safeguards information.

MD and Handbook 12.5, NRC Automated Information Security Program, also describe procedures for processing safeguards and classified information. MD and Handbook 12.5 state that special approaches should be used to delete safeguards and classified data from electronic storage media. These approaches may include destruction of the physical media, obliteration of the sensitive data through the use of an approved software product, or erasure of all data through degaussing.16 Questions regarding the appropriate method for eliminating safeguards or classified data from a storage medium should be referred to the Computer Security Staff.

3.3.1 Standalone PCs and Laptops Used to Process Safeguards and/or Classified Information

Carson Associates met with IT coordinators from three NRC offices and spoke with staff from the Division of Facilities and Security (DFS) and the Office of Nuclear Security and Incident Response (NSIR) regarding the disposal of removable hard drives used in standalone PCs and laptops that are used to process safeguards and/or classified information. The three IT coordinators interviewed have not actually disposed of any standalone PCs or laptops that are used to process safeguards and/or classified information. 
However, they described the procedures they would follow if the situation arises.

15 Purging is the removal of sensitive data from an automated information system in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed through open-ended laboratory techniques.

16 Degaussing is a procedure that uses specialized devices that generate a magnetic field used to render any previously stored data on magnetic media unreadable.

Carson Associates found that the disposal procedures described by the IT coordinators for standalone PCs and laptops that are used to process safeguards and/or classified information were inconsistent and not always in accordance with policy and guidance from NSA and NRC.

   • One IT coordinator stated they would instruct the PC/laptop user to erase any sensitive information from the PC/laptop before returning it. The IT coordinator would then check the laptop for any sensitive files or folders, and then remove them before following the equipment removal procedures described in MD and Handbook 2.6. The procedures described by this IT coordinator are not in compliance with the guidance described above.
   • Another IT coordinator stated they would use software to wipe the drive and then ask the OIS Computer Security Staff what to do with the PC/laptop. 
This procedure is in compliance with the guidance described above, but only if the IT coordinator has the proper clearance for handling the type of data stored on the PC or laptop.
   • Another IT coordinator stated they would use an Office of Administration Labor Services request specifying the equipment be sent to DFS. MD and Handbook 12.5 have separate sections that discuss processing safeguards and/or classified information (sections 2.6.2 and 2.6.3 respectively). Section 2.6.2 states that all media must be properly labeled, stored, sanitized, and disposed of as specified in MD 12.2, and Section 2.6.3 states that disks, diskettes, ribbons, and printouts must be disposed of in accordance with MD 12.6. However, as stated previously, MD and Handbooks 12.2 and 12.6 do not describe procedures for disposal of magnetic media, nor do they refer the reader to the MDs and Handbooks that do describe the appropriate disposal methods. Destruction of storage media is not discussed in MD and Handbook 12.5 until Section 2.6.12. A reader unfamiliar with MD and Handbook 12.5 who is interested in disposal procedures for electronic media that are used to process safeguards and/or classified information may not read all of MD and Handbook 12.5, but only read Sections 2.6.2 and 2.6.3. There are two places in Section 2.6.12 that discuss disposal of electronic media. The first statement in Section 2.6.12 pertaining to disposal of electronic media is that “removable magnetic storage media, such as diskettes and tapes that contain classified or sensitive information, should not be disposed of in regular waste containers. 
These media should be sent to DFS for retention or destruction.” It is unclear whether this statement applies to hard drives, as a hard drive is not something that is typically disposed of in a regular waste container. The second statement in Section 2.6.12 pertaining to disposal procedures is “if hard disk drives are removed from or replaced in a workstation, the hard drive that is removed should be unconditionally formatted before removal. If this is not possible, hard disks should be degaussed or sent to DFS for retention or destruction.” It is not clear whether this statement applies to all hard disk drives, or only those that do process safeguards and/or classified information. The term “unconditionally formatted” is also not defined.
   • In comments provided to the OIG, the agency stated that DFS has an arrangement with the NSA for the disposal of hard drives and media. This arrangement was mentioned by more than one staff member contacted during this evaluation; however, the agency has no documentation to support the existence of this arrangement.

Carson Associates also spoke with a staff member from NSIR to discuss that office’s disposal procedures. NSIR requires that all equipment used to process classified information have its hard drives removed before the equipment can be removed from NSIR. In the past, disposal of the hard drives was coordinated with a member of the OIS Computer Security Staff. 
This individual no longer works in this position; consequently, NSIR is storing the hard drives in an approved storage container until arrangements can be made for their disposal.

Disposal practices described by the IT coordinators for standalone PCs and laptops that are used to process safeguards and/or classified information are inconsistent because the NRC MDs and Handbooks that compose Volume 12, Security, do not clearly describe the disposal process or who is responsible for administering it. For example, MD and Handbooks 12.2 and 12.6 state that DFS “plans, develops, establishes, and administers policies, standards, and procedures” for the NRC classified and sensitive unclassified information security programs. However, MD and Handbook 12.1 state that NSIR is responsible for administering the information security programs, and MD and Handbook 12.5 state that NSIR is responsible for managing NRC information security programs that specifically deal with the classification, declassification, and handling of classified, safeguards, and sensitive information. In comments provided to the OIG, the agency stated that DFS is responsible for the development and administration of policies, standards, and procedures for destruction of classified and sensitive information; however, this is not clearly stated in any of the MDs and Handbooks that compose Volume 12.

Another example of unclear guidance is in the security plan templates required for standalone PCs and laptops used to process safeguards and/or classified information. Both templates refer the reader back to MD and Handbooks 12.2 and 12.6 for procedures on the destruction of magnetic media containing safeguards and/or classified information. 
However, as stated previously, MD and Handbooks 12.2 and 12.6 do not describe procedures for disposal of magnetic media, nor do they refer the reader to the MDs and Handbooks that do describe the appropriate disposal methods.

Without clearly defined procedures for the disposal of standalone PCs and laptops used to process classified information, the agency may not be in compliance with policy and guidance from NSA.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

   7. Develop detailed procedures in the appropriate Management Directives for the disposal of equipment used to process safeguards and/or classified information. These procedures should then be referenced in the appropriate chapters of the Volume 12 series of directives.
   8. Include the procedures for the disposal of equipment containing safeguards and/or classified information in the security plan templates.

3.3.2 Standalone PCs and Laptops Not Used to Process Safeguards and/or Classified Information

The three IT coordinators Carson Associates interviewed for this evaluation follow the disposal process described in MD and Handbook 2.6 for disposing of standalone PCs and laptops not used to process safeguards and/or classified information. 
Carson Associates also met with staff from OIS responsible for handling IT equipment sent for disposal and verified that OIS maintains logs of incoming and outgoing equipment.

4 Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Provide users guidance for implementing security controls on standalone PCs and laptops.
   2. Develop and require users to sign a rules of behavior agreement accepting responsibility for implementing security controls on standalone PCs and laptops.
   3. Develop and implement procedures for verifying all required security controls are implemented on standalone PCs and laptops.
   4. Provide users guidance on compliance with Executive Order 13103, Computer Software Piracy, for standalone PCs and laptops.
   5. Develop and require users to sign a rules of behavior agreement acknowledging their compliance with Executive Order 13103, Computer Software Piracy, for standalone PCs and laptops.
   6. Develop and implement procedures for monitoring compliance with Executive Order 13103, Computer Software Piracy, for standalone PCs and laptops.
   7. Develop detailed procedures in the appropriate Management Directives for the disposal of equipment used to process safeguards and/or classified information. These procedures should then be referenced in the appropriate chapters of the Volume 12 series of directives.
   8. 
Include the procedures for the disposal of equipment containing safeguards and/or classified information in the security plan templates.

5 OIG Response to Agency Comments

OIG provided this report in draft to agency officials and discussed its content at an exit conference on August 25, 2005. We modified the report as we determined appropriate in response to our discussion. Agency officials generally agreed with the report’s findings and recommendations and opted not to include formal comments.

Appendix A – Scope and Methodology

SCOPE AND METHODOLOGY

To perform the evaluation of the NRC security policies, procedures, practices, and controls for PCs and laptops, Carson Associates reviewed NRC policies on automated information systems security, information technology infrastructure, and property management. Carson Associates interviewed staff responsible for the ISSC, property management, and property disposal, and met with IT coordinators from three NRC offices.

One area of particular concern addressed in this evaluation was disposal procedures for standalone PCs and laptops that are used to process safeguards and/or classified information. Carson Associates reviewed several NRC management directives in order to understand the disposal procedures. Our review focused primarily on the Volume 12, Security, series of management directives. 
Volume 12 comprises the following management directives and handbooks:

   • 12.1, NRC Facility Security Program, April 14, 2004
   • 12.2, NRC Classified Information Security Program, April 27, 1999
   • 12.3, NRC Personnel Security Program, April 27, 2004
   • 12.4, NRC Telecommunications Systems Security Program, December 8, 1999
   • 12.5, NRC Automated Information Security Program, September 12, 2003
   • 12.6, NRC Sensitive Unclassified Information Security Program, December 20, 1999

Carson Associates also reviewed the following management directives and handbooks:

   • 2.6, Information Technology Infrastructure, March 7, 2005
   • 13.1, Property Management, January 14, 2002

The work was conducted from June 2005 to August 2005 in accordance with guidelines from the National Institute of Standards and Technology, and best practices for evaluating security controls. Jane Laroussi from Carson Associates conducted the work.

Appendix B – Sample Rules of Behavior

Rules of Behavior for Government Furnished Laptops, PDAs, and Cell Phones and Other Small, Portable Electronic Devices

1.0 Introduction

The United States Nuclear Regulatory Commission has purchased the item described below for the use of the identified NRC employee below in accomplishing her or his mission. 
The purpose of this “Rules of Behavior” agreement between the employee and the agency is to help ensure that the item is used in a manner consistent with information security and in compliance with NRC management directives and Federal requirements (e.g., FISMA).

Some sections of this agreement may not apply because the device or item does not have the listed capability. In that case, simply cross out that section and write “does not apply” next to the section.

2.0 Name of the Employee to whom this agreement applies

2.1 Employee Name: _________________________________

2.2 Employee Room Number: __________________________

2.3 Employee Phone Number: _________________________

3.0 Description of the Item:

3.1 Item Description: ______________________________________________
    (i.e., Dell Laptop, Palm PDA, etc.)

3.2 Item’s NRC Tag Number: _______________________________________

3.3 Item’s Location: _______________________________________________

4.0 Employee Behavior Requirements

4.1 For items with built-in camera components

In accordance with MD 12.1, Part II, (A)(iii), "Use of the camera component of the equipment inside NRC buildings is prohibited without the prior approval by the Director, DFS."

I agree not to use within the NRC Headquarters complex or any NRC regional office the camera component of the item described in section 3.0 above, which was purchased with NRC funds for official business use, without the prior approval of the Director, Division of Facilities and Security. 
Further, I will assure that the camera component will be securely stored and carefully accounted for and that all individuals who may have access to or may use the equipment have also been advised of restrictions with respect to its use.

4.2 For items with Bluetooth

The RES/PMDA staff has delivered the item with Bluetooth disabled. I agree to leave the Bluetooth capability of the device disabled.

4.3 For items with wireless capability (e.g., laptops or PDAs with 802.11a, b, or g {or newer} capability.)

The RES/PMDA staff has delivered the item with wireless network access disabled. I agree to leave the wireless capability of the device disabled.

4.4 Norton Antivirus

The RES/PMDA staff has delivered the item with Norton Antivirus installed and updated. I agree to update the Norton Antivirus signatures at the beginning of each usage session.

4.5 Windows Update

The RES/PMDA staff has delivered the item with automatic Windows updating turned on and with a frequency of update of once every 24 hours. I agree to leave the automatic Windows updating turned on and configured to update every 24 hours.

4.6 Use only of Approved Software Applications

The RES/PMDA staff has delivered this item with only approved software applications on the device. I agree not to load unapproved or unlicensed applications on the device. This includes games, America Online software, and Instant Messaging software.

5.0 Rules of Behavior Agreement and Signature

I, _________________________________, agree to abide by these rules of behavior. 
I understand that at any time, RES/PMDA staff may call in the device/item covered by this agreement and inspect it for compliance with this agreement. I agree to fully cooperate in such inspections by making the device available to RES/PMDA staff at NRC headquarters.

_____________________________________________                             _________
                  Signature                                                 Date
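
Sections 4.2 to 4.6 of the rules of behavior above are a concrete checklist, and Recommendations 3 and 6 ask for procedures that verify it rather than relying on the signed agreement alone. The following is an added example of such a check; it is not code from the report, from Carson Associates or from NRC. Collection and evaluation are kept separate so the evaluation runs offline on a constructed sample snapshot; on a Windows machine, collect_windows_snapshot() fills the update-policy and installed-software fields from the documented Automatic Updates policy key and the Uninstall registry lists, while the Bluetooth, wireless and antivirus fields are assumed to be supplied by the caller. The approved-software baseline, the 24-hour signature-age threshold and the sample snapshot are assumptions made for the example.

```python
"""Check a standalone laptop against rules of behavior 4.2-4.6 (added example)."""

# Hypothetical approved-software baseline; in practice, the inventory of the
# image the RES/PMDA staff delivered (Appendix B, section 4.6).
APPROVED_SOFTWARE = {
    "microsoft office professional edition 2003",
    "norton antivirus",
    "adobe reader",
}
MAX_SIGNATURE_AGE_HOURS = 24  # assumption standing in for "updated each session" (4.4)

# Windows Automatic Updates policy key and its documented values.
AU_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
AU_OPTION_SCHEDULED_INSTALL = 4  # AUOptions 4: auto-download and schedule the install
AU_DAY_EVERY_DAY = 0             # ScheduledInstallDay 0: every day, i.e. every 24 hours
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

RULE_BLUETOOTH = "4.2 Bluetooth disabled"
RULE_WIRELESS = "4.3 Wireless disabled"
RULE_ANTIVIRUS = "4.4 Antivirus signatures current"
RULE_UPDATES = "4.5 Automatic updates on and daily"
RULE_SOFTWARE = "4.6 Only approved software"


def evaluate(snap):
    """Return one (rule, passed, detail) tuple per rule for a device snapshot,
    so the reviewer sees every control checked, not only the failures."""
    age = snap.get("av_signature_age_hours")
    unapproved = sorted(name for name in snap.get("installed_software", [])
                        if name.strip().lower() not in APPROVED_SOFTWARE)
    au_ok = (snap.get("au_no_auto_update", 0) == 0
             and snap.get("au_options") == AU_OPTION_SCHEDULED_INSTALL
             and snap.get("au_scheduled_install_day") == AU_DAY_EVERY_DAY)
    return [
        (RULE_BLUETOOTH, not snap.get("bluetooth_enabled", True),
         "bluetooth_enabled=%s" % snap.get("bluetooth_enabled")),
        (RULE_WIRELESS, not snap.get("wireless_enabled", True),
         "wireless_enabled=%s" % snap.get("wireless_enabled")),
        (RULE_ANTIVIRUS, age is not None and age <= MAX_SIGNATURE_AGE_HOURS,
         "signature age: %s hours" % age),
        (RULE_UPDATES, au_ok, "NoAutoUpdate=%s AUOptions=%s ScheduledInstallDay=%s" % (
            snap.get("au_no_auto_update"), snap.get("au_options"),
            snap.get("au_scheduled_install_day"))),
        (RULE_SOFTWARE, not unapproved, "unapproved: %s" % ", ".join(unapproved)),
    ]


def failures(snap):
    """Names of the rules the snapshot fails, in rule order."""
    return [rule for rule, ok, _ in evaluate(snap) if not ok]


def collect_windows_snapshot():
    """On Windows, fill the update-policy and installed-software fields from the
    registry. Adapter and antivirus fields are not collected here (assumption:
    the caller supplies them, e.g. from Get-NetAdapter, Get-PnpDevice -Class
    Bluetooth, and the antivirus product's own status output)."""
    import winreg  # only present on Windows
    snap = {"au_no_auto_update": 0, "au_options": None,
            "au_scheduled_install_day": None, "installed_software": []}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AU_POLICY_KEY) as key:
            for value, field in (("NoAutoUpdate", "au_no_auto_update"),
                                 ("AUOptions", "au_options"),
                                 ("ScheduledInstallDay", "au_scheduled_install_day")):
                try:
                    snap[field] = winreg.QueryValueEx(key, value)[0]
                except FileNotFoundError:
                    pass  # value not set: keep the default, which fails 4.5
    except FileNotFoundError:
        pass  # no AU policy key: updates are not centrally configured, also fails 4.5
    for root in UNINSTALL_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as entry:
                        try:
                            snap["installed_software"].append(
                                winreg.QueryValueEx(entry, "DisplayName")[0])
                        except FileNotFoundError:
                            pass  # not every uninstall entry carries a display name
        except FileNotFoundError:
            pass
    return snap


# Constructed sample snapshot (not data from the evaluation): a laptop with
# Bluetooth left on and one unapproved program installed.
SAMPLE_SNAPSHOT = {
    "bluetooth_enabled": True, "wireless_enabled": False,
    "av_signature_age_hours": 6.0,
    "au_no_auto_update": 0, "au_options": 4, "au_scheduled_install_day": 0,
    "installed_software": ["Microsoft Office Professional Edition 2003",
                           "Norton AntiVirus", "Adobe Reader", "Solitaire Deluxe"],
}

if __name__ == "__main__":
    for rule, ok, detail in evaluate(SAMPLE_SNAPSHOT):
        print("%s  %-36s %s" % ("PASS" if ok else "FAIL", rule, detail))
```

Run at the start of an inspection (the rules allow the device to be called in at any time), the output is a per-rule pass/fail list that can be filed with the signed agreement; the approved-software comparison is the piece that gives a standalone machine the Executive Order 13103 monitoring the report says is otherwise done only for LAN-connected PCs. The string matching is deliberately simple; a real inventory would normalise version suffixes and publisher names before comparing against the baseline.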